
Re: Virus emails



On Mon, 22 Sep 2003 19:34:58 -0400
"H. S. Teoh" <hsteoh@quickfur.ath.cx> wrote:
> I've resorted to blocking port 25 to subnets from which these spams

    What would help is to be able to block an IP once it's been hit.  Thing is
I cannot for the life of me figure out a way to do it.  Here's the first 25
that hit me today:

[12.166.16.7]
[12.166.16.7]
[12.166.16.7]
[12.166.16.7]
[12.166.16.7]
[12.166.16.7]
[12.166.16.7]
[12.166.16.7]
[12.17.134.9]
[128.143.2.219]
[128.143.2.219]
[128.146.216.43]
[128.146.216.45]
[129.82.100.130]
[129.82.100.130]
[130.244.199.129]
[130.244.199.132]
[132.64.1.17]
[142.165.19.3]
[142.165.19.5]
[142.169.1.100]
[144.135.24.153]
[144.135.24.153]

    Notice the duplicates.  Now if I could enter a blacklist entry into
shorewall after the first hit...

root@teleute:/var/log/exim4# grep -i malware mainlog | awk '{print $5}' | sort | wc -l
 743
root@teleute:/var/log/exim4# grep -i malware mainlog | awk '{print $5}' | sort | uniq | wc -l
 336

    I'd drop the load from 743 down to 336.  Assuming all of those are Swen or
some variant then it would be a savings of about 4Mb so far today.  

    Of course that's what's gotten past the IPs I've already blacklisted.





-- 
         Steve C. Lamb         | I'm your priest, I'm your shrink, I'm your
       PGP Key: 8B6E99C5       | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
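An added example, not the poster's own commands and not Shorewall's own code, of the "blacklist after the first hit" idea from the message above. It assumes the exiscan-style mainlog line shape shown in the constructed sample (date, time, H=host, (helo), [ip], ...), that the installed Shorewall supports dynamic blacklisting via `shorewall drop <ip>` (an assumption about the version; older installs would instead write the addresses into /etc/shorewall/blacklist and run `shorewall refresh`), and a state file path of the reader's choosing:

```shell
#!/bin/sh
# Added example: turn exim4 "malware" rejections into a one-hit shorewall
# blacklist.  Assumes exiscan-style log lines as in SAMPLE_LOG and that
# `shorewall drop <ip>` exists on the running Shorewall (an assumption).

# Constructed sample log lines, not real data.  Three hits from the same
# address mimic the duplicates the post shows for 12.166.16.7; line five is
# a normal delivery and must be ignored.
SAMPLE_LOG='2003-09-22 19:02:10 H=host1.example (foo) [12.166.16.7] F=<a@example.org> rejected after DATA: This message contains malware (Worm.Gibe.F)
2003-09-22 19:03:41 H=host1.example (foo) [12.166.16.7] F=<b@example.org> rejected after DATA: This message contains malware (Worm.Gibe.F)
2003-09-22 19:05:02 H=host2.example (bar) [12.17.134.9] F=<c@example.org> rejected after DATA: This message contains malware (Worm.Gibe.F)
2003-09-22 19:05:59 H=host1.example (foo) [12.166.16.7] F=<d@example.org> rejected after DATA: This message contains malware (Worm.Gibe.F)
2003-09-22 19:07:13 H=mx.example.net (mx) [128.143.2.219] <= e@example.net U=mail P=esmtp S=1234
2003-09-22 19:08:30 H=host3.example (baz) [128.143.2.219] F=<f@example.org> rejected after DATA: This message contains malware (Worm.Gibe.F)'

# Print the sending IP of every malware rejection read on stdin, in log
# order, one per line.  Matching the bracketed address instead of awk's $5
# keeps this correct when the H= part has no HELO and the field count shifts.
malware_ips() {
    grep -i 'contains malware' | sed -n 's/^.*\[\([0-9][0-9.]*\)\].*$/\1/p'
}

# Hit count per IP, most hits first, so the worst offenders are visible.
hit_counts() {
    malware_ips | sort | uniq -c | sort -rn
}

# Emit one `shorewall drop` per IP not yet recorded in the state file ($1),
# then record it, so repeated cron runs never re-blacklist an address.
new_drop_commands() {
    state="$1"
    [ -f "$state" ] || : > "$state"
    malware_ips | sort -u | while read -r ip; do
        if ! grep -qxF "$ip" "$state"; then
            echo "shorewall drop $ip"
            echo "$ip" >> "$state"
        fi
    done
}
```

Sourced from cron as `. ./swen-drop.sh; new_drop_commands /var/lib/swen-dropped < /var/log/exim4/mainlog | sh` (paths are the reader's choice), it adds each offending address once and stays quiet afterwards. One caveat before dropping at the firewall: an address that hits several times in an hour is usually a shared relay forwarding mail from infected users, so a permanent drop also loses that relay's legitimate mail; give the state file an expiry, or reject at SMTP time in the exim ACL instead, if that matters for the site.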


